Direct SQL Command Injection is a technique where an attacker creates or alters existing SQL commands to expose hidden data,
or to override valuable ones, or even to execute dangerous system level commands on the database host.
This is accomplished by the application taking user input and combining it with static parameters to build an SQL query .
PoC代码[已公开]
id: sqli-error-based
info:
name: Error based SQL Injection
author: geeknik,pdteam
severity: critical
description: |
Direct SQL Command Injection is a technique where an attacker creates or alters existing SQL commands to expose hidden data,
or to override valuable ones, or even to execute dangerous system level commands on the database host.
This is accomplished by the application taking user input and combining it with static parameters to build an SQL query .
metadata:
max-request: 3
tags: sqli,error,dast
http:
- pre-condition:
- type: dsl
dsl:
- 'method != "OPTIONS"'
payloads:
injection:
- "'"
- "\""
- ";"
fuzzing:
- part: request
type: postfix
mode: single
fuzz:
- "{{injection}}"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- "Adminer"
negative: true
# False Positive
- type: regex
regex:
# MySQL
- "SQL syntax.*?MySQL"
- "Warning.*?\\Wmysqli?_"
- "MySQLSyntaxErrorException"
- "valid MySQL result"
- "check the manual that (corresponds to|fits) your MySQL server version"
- "Unknown column '[^ ]+' in 'field list'"
- "MySqlClient\\."
- "com\\.mysql\\.jdbc"
- "Zend_Db_(Adapter|Statement)_Mysqli_Exception"
- "Pdo[./_\\\\]Mysql"
- "MySqlException"
- "SQLSTATE\\[\\d+\\]: Syntax error or access violation"
# MariaDB
- "check the manual that (corresponds to|fits) your MariaDB server version"
# Drizzle
- "check the manual that (corresponds to|fits) your Drizzle server version"
# MemSQL
- "MemSQL does not support this type of query"
- "is not supported by MemSQL"
- "unsupported nested scalar subselect"
# PostgreSQL
- "PostgreSQL.*?ERROR"
- "Warning.*?\\Wpg_"
- "valid PostgreSQL result"
- "Npgsql\\."
- "PG::SyntaxError:"
- "org\\.postgresql\\.util\\.PSQLException"
- "ERROR:\\s\\ssyntax error at or near"
- "ERROR: parser: parse error at or near"
- "PostgreSQL query failed"
- "org\\.postgresql\\.jdbc"
- "Pdo[./_\\\\]Pgsql"
- "PSQLException"
# Microsoft SQL Server
- "Driver.*? SQL[\\-\\_\\ ]*Server"
- "OLE DB.*? SQL Server"
- "\\bSQL Server[^<"]+Driver"
- "Warning.*?\\W(mssql|sqlsrv)_"
- "\\bSQL Server[^<"]+[0-9a-fA-F]{8}"
- "System\\.Data\\.SqlClient\\.SqlException\\.(SqlException|SqlConnection\\.OnError)"
- "(?s)Exception.*?\\bRoadhouse\\.Cms\\."
- "Microsoft SQL Native Client error '[0-9a-fA-F]{8}"
- "\\[SQL Server\\]"
- "ODBC SQL Server Driver"
- "ODBC Driver \\d+ for SQL Server"
- "SQLServer JDBC Driver"
- "com\\.jnetdirect\\.jsql"
- "macromedia\\.jdbc\\.sqlserver"
- "Zend_Db_(Adapter|Statement)_Sqlsrv_Exception"
- "com\\.microsoft\\.sqlserver\\.jdbc"
- "Pdo[./_\\\\](Mssql|SqlSrv)"
- "SQL(Srv|Server)Exception"
- "Unclosed quotation mark after the character string"
# Microsoft Access
- "Microsoft Access (\\d+ )?Driver"
- "JET Database Engine"
- "Access Database Engine"
- "ODBC Microsoft Access"
- "Syntax error \\(missing operator\\) in query expression"
# Oracle
- "\\bORA-\\d{5}"
- "Oracle error"
- "Oracle.*?Driver"
- "Warning.*?\\W(oci|ora)_"
- "quoted string not properly terminated"
- "SQL command not properly ended"
- "macromedia\\.jdbc\\.oracle"
- "oracle\\.jdbc"
- "Zend_Db_(Adapter|Statement)_Oracle_Exception"
- "Pdo[./_\\\\](Oracle|OCI)"
- "OracleException"
# IBM DB2
- "CLI Driver.*?DB2"
- "DB2 SQL error"
- "\\bdb2_\\w+\\("
- "SQLCODE[=:\\d, -]+SQLSTATE"
- "com\\.ibm\\.db2\\.jcc"
- "Zend_Db_(Adapter|Statement)_Db2_Exception"
- "Pdo[./_\\\\]Ibm"
- "DB2Exception"
- "ibm_db_dbi\\.ProgrammingError"
# Informix
- "Warning.*?\\Wifx_"
- "Exception.*?Informix"
- "Informix ODBC Driver"
- "ODBC Informix driver"
- "com\\.informix\\.jdbc"
- "weblogic\\.jdbc\\.informix"
- "Pdo[./_\\\\]Informix"
- "IfxException"
# Firebird
- "Dynamic SQL Error"
- "Warning.*?\\Wibase_"
- "org\\.firebirdsql\\.jdbc"
- "Pdo[./_\\\\]Firebird"
# SQLite
- "SQLite/JDBCDriver"
- "SQLite\\.Exception"
- "(Microsoft|System)\\.Data\\.SQLite\\.SQLiteException"
- "Warning.*?\\W(sqlite_|SQLite3::)"
- "SQLITE_ERROR"
- "SQLite error \\d+:"
- "sqlite3.OperationalError:"
- "SQLite3::SQLException"
- "org\\.sqlite\\.JDBC"
- "Pdo[./_\\\\]Sqlite"
- "SQLiteException"
# SAP MaxDB
- "SQL error.*?POS([0-9]+)"
- "Warning.*?\\Wmaxdb_"
- "DriverSapDB"
- "-3014.*?Invalid end of SQL statement"
- "com\\.sap\\.dbtech\\.jdbc"
- "\\[-3008\\].*?: Invalid keyword or missing delimiter"
# Sybase
- "Warning.*?\\Wsybase_"
- "Sybase message"
- "Sybase.*?Server message"
- "SybSQLException"
- "Sybase\\.Data\\.AseClient"
- "com\\.sybase\\.jdbc"
# Ingres
- "Warning.*?\\Wingres_"
- "Ingres SQLSTATE"
- "Ingres\\W.*?Driver"
- "com\\.ingres\\.gcf\\.jdbc"
# FrontBase
- "Exception (condition )?\\d+\\. Transaction rollback"
- "com\\.frontbase\\.jdbc"
- "Syntax error 1. Missing"
- "(Semantic|Syntax) error [1-4]\\d{2}\\."
# HSQLDB
- "Unexpected end of command in statement \\["
- "Unexpected token.*?in statement \\["
- "org\\.hsqldb\\.jdbc"
# H2
- "org\\.h2\\.jdbc"
- "\\[42000-192\\]"
# MonetDB
- "![0-9]{5}![^\\n]+(failed|unexpected|error|syntax|expected|violation|exception)"
- "\\[MonetDB\\]\\[ODBC Driver"
- "nl\\.cwi\\.monetdb\\.jdbc"
# Apache Derby
- "Syntax error: Encountered"
- "org\\.apache\\.derby"
- "ERROR 42X01"
# Vertica
- ", Sqlstate: (3F|42).{3}, (Routine|Hint|Position):"
- "/vertica/Parser/scan"
- "com\\.vertica\\.jdbc"
- "org\\.jkiss\\.dbeaver\\.ext\\.vertica"
- "com\\.vertica\\.dsi\\.dataengine"
# Mckoi
- "com\\.mckoi\\.JDBCDriver"
- "com\\.mckoi\\.database\\.jdbc"
- "<REGEX_LITERAL>"
# Presto
- "com\\.facebook\\.presto\\.jdbc"
- "io\\.prestosql\\.jdbc"
- "com\\.simba\\.presto\\.jdbc"
- "UNION query has different number of fields: \\d+, \\d+"
# Altibase
- "Altibase\\.jdbc\\.driver"
# MimerSQL
- "com\\.mimer\\.jdbc"
- "Syntax error,[^\\n]+assumed to mean"
# CrateDB
- "io\\.crate\\.client\\.jdbc"
# Cache
- "encountered after end of query"
- "A comparison operator is required here"
# Raima Database Manager
- "-10048: Syntax error"
- "rdmStmtPrepare\\(.+?\\) returned"
# Virtuoso
- "SQ074: Line \\d+:"
- "SR185: Undefined procedure"
- "SQ200: No table "
- "Virtuoso S0002 Error"
- "\\[(Virtuoso Driver|Virtuoso iODBC Driver)\\]\\[Virtuoso Server\\]"
condition: or
extractors:
- type: regex
name: mysql
regex:
- "SQL syntax.*?MySQL"
- "Warning.*?\\Wmysqli?_"
- "MySQLSyntaxErrorException"
- "valid MySQL result"
- "check the manual that (corresponds to|fits) your MySQL server version"
- "Unknown column '[^ ]+' in 'field list'"
- "MySqlClient\\."
- "com\\.mysql\\.jdbc"
- "Zend_Db_(Adapter|Statement)_Mysqli_Exception"
- "Pdo[./_\\\\]Mysql"
- "MySqlException"
- "SQLSTATE[\\d+]: Syntax error or access violation"
- type: regex
name: mariadb
regex:
- "check the manual that (corresponds to|fits) your MariaDB server version"
- type: regex
name: drizzel
regex:
- "check the manual that (corresponds to|fits) your Drizzle server version"
- type: regex
name: memsql
regex:
- "MemSQL does not support this type of query"
- "is not supported by MemSQL"
- "unsupported nested scalar subselect"
- type: regex
name: postgresql
regex:
- "PostgreSQL.*?ERROR"
- "Warning.*?\\Wpg_"
- "valid PostgreSQL result"
- "Npgsql\\."
- "PG::SyntaxError:"
- "org\\.postgresql\\.util\\.PSQLException"
- "ERROR:\\s\\ssyntax error at or near"
- "ERROR: parser: parse error at or near"
- "PostgreSQL query failed"
- "org\\.postgresql\\.jdbc"
- "Pdo[./_\\\\]Pgsql"
- "PSQLException"
- type: regex
name: microsoftsqlserver
regex:
- "Driver.*? SQL[\\-\\_\\ ]*Server"
- "OLE DB.*? SQL Server"
- "\\bSQL Server[^<"]+Driver"
- "Warning.*?\\W(mssql|sqlsrv)_"
- "\\bSQL Server[^<"]+[0-9a-fA-F]{8}"
- "System\\.Data\\.SqlClient\\.SqlException\\.(SqlException|SqlConnection\\.OnError)"
- "(?s)Exception.*?\\bRoadhouse\\.Cms\\."
- "Microsoft SQL Native Client error '[0-9a-fA-F]{8}"
- "\\[SQL Server\\]"
- "ODBC SQL Server Driver"
- "ODBC Driver \\d+ for SQL Server"
- "SQLServer JDBC Driver"
- "com\\.jnetdirect\\.jsql"
- "macromedia\\.jdbc\\.sqlserver"
- "Zend_Db_(Adapter|Statement)_Sqlsrv_Exception"
- "com\\.microsoft\\.sqlserver\\.jdbc"
- "Pdo[./_\\\\](Mssql|SqlSrv)"
- "SQL(Srv|Server)Exception"
- "Unclosed quotation mark after the character string"
- type: regex
name: microsoftaccess
regex:
- "Microsoft Access (\\d+ )?Driver"
- "JET Database Engine"
- "Access Database Engine"
- "ODBC Microsoft Access"
- "Syntax error \\(missing operator\\) in query expression"
- type: regex
name: oracle
regex:
- "\\bORA-\\d{5}"
- "Oracle error"
- "Oracle.*?Driver"
- "Warning.*?\\W(oci|ora)_"
- "quoted string not properly terminated"
- "SQL command not properly ended"
- "macromedia\\.jdbc\\.oracle"
- "oracle\\.jdbc"
- "Zend_Db_(Adapter|Statement)_Oracle_Exception"
- "Pdo[./_\\\\](Oracle|OCI)"
- "OracleException"
- type: regex
name: ibmdb2
regex:
- "CLI Driver.*?DB2"
- "DB2 SQL error"
- "\\bdb2_\\w+\\("
- "SQLCODE[=:\\d, -]+SQLSTATE"
- "com\\.ibm\\.db2\\.jcc"
- "Zend_Db_(Adapter|Statement)_Db2_Exception"
- "Pdo[./_\\\\]Ibm"
- "DB2Exception"
- "ibm_db_dbi\\.ProgrammingError"
- type: regex
name: informix
regex:
- "Warning.*?\\Wifx_"
- "Exception.*?Informix"
- "Informix ODBC Driver"
- "ODBC Informix driver"
- "com\\.informix\\.jdbc"
- "weblogic\\.jdbc\\.informix"
- "Pdo[./_\\\\]Informix"
- "IfxException"
- type: regex
name: firebird
regex:
- "Dynamic SQL Error"
- "Warning.*?\\Wibase_"
- "org\\.firebirdsql\\.jdbc"
- "Pdo[./_\\\\]Firebird"
- type: regex
name: sqlite
regex:
- "SQLite/JDBCDriver"
- "SQLite\\.Exception"
- "(Microsoft|System)\\.Data\\.SQLite\\.SQLiteException"
- "Warning.*?\\W(sqlite_|SQLite3::)"
- "SQLITE_ERROR"
- "SQLite error \\d+:"
- "sqlite3.OperationalError:"
- "SQLite3::SQLException"
- "org\\.sqlite\\.JDBC"
- "Pdo[./_\\\\]Sqlite"
- "SQLiteException"
- type: regex
name: sapmaxdb
regex:
- "SQL error.*?POS([0-9]+)"
- "Warning.*?\\Wmaxdb_"
- "DriverSapDB"
- "-3014.*?Invalid end of SQL statement"
- "com\\.sap\\.dbtech\\.jdbc"
- "\\[-3008\\].*?: Invalid keyword or missing delimiter"
- type: regex
name: sybase
regex:
- "Warning.*?\\Wsybase_"
- "Sybase message"
- "Sybase.*?Server message"
- "SybSQLException"
- "Sybase\\.Data\\.AseClient"
- "com\\.sybase\\.jdbc"
- type: regex
name: ingres
regex:
- "Warning.*?\\Wingres_"
- "Ingres SQLSTATE"
- "Ingres\\W.*?Driver"
- "com\\.ingres\\.gcf\\.jdbc"
- type: regex
name: frontbase
regex:
- "Exception (condition )?\\d+\\. Transaction rollback"
- "com\\.frontbase\\.jdbc"
- "Syntax error 1. Missing"
- "(Semantic|Syntax) error \\[1-4\\]\\d{2}\\."
- type: regex
name: hsqldb
regex:
- "Unexpected end of command in statement \\["
- "Unexpected token.*?in statement \\["
- "org\\.hsqldb\\.jdbc"
- type: regex
name: h2
regex:
- "org\\.h2\\.jdbc"
- "\\[42000-192\\]"
- type: regex
name: monetdb
regex:
- "![0-9]{5}![^\\n]+(failed|unexpected|error|syntax|expected|violation|exception)"
- "\\[MonetDB\\]\\[ODBC Driver"
- "nl\\.cwi\\.monetdb\\.jdbc"
- type: regex
name: apachederby
regex:
- "Syntax error: Encountered"
- "org\\.apache\\.derby"
- "ERROR 42X01"
- type: regex
name: vertica
regex:
- ", Sqlstate: (3F|42).{3}, (Routine|Hint|Position):"
- "/vertica/Parser/scan"
- "com\\.vertica\\.jdbc"
- "org\\.jkiss\\.dbeaver\\.ext\\.vertica"
- "com\\.vertica\\.dsi\\.dataengine"
- type: regex
name: mckoi
regex:
- "com\\.mckoi\\.JDBCDriver"
- "com\\.mckoi\\.database\\.jdbc"
- "<REGEX_LITERAL>"
- type: regex
name: presto
regex:
- "com\\.facebook\\.presto\\.jdbc"
- "io\\.prestosql\\.jdbc"
- "com\\.simba\\.presto\\.jdbc"
- "UNION query has different number of fields: \\d+, \\d+"
- type: regex
name: altibase
regex:
- "Altibase\\.jdbc\\.driver"
- type: regex
name: mimersql
regex:
- "com\\.mimer\\.jdbc"
- "Syntax error,[^\\n]+assumed to mean"
- type: regex
name: cratedb
regex:
- "io\\.crate\\.client\\.jdbc"
- type: regex
name: cache
regex:
- "encountered after end of query"
- "A comparison operator is required here"
- type: regex
name: raimadatabasemanager
regex:
- "-10048: Syntax error"
- "rdmStmtPrepare\\(.+?\\) returned"
- type: regex
name: virtuoso
regex:
- "SQ074: Line \\d+:"
- "SR185: Undefined procedure"
- "SQ200: No table "
- "Virtuoso S0002 Error"
- "\\[(Virtuoso Driver|Virtuoso iODBC Driver)\\]\\[Virtuoso Server\\]"
# digest: 4b0a00483046022100aa148dd908d30fe373522fd4b169a8c92376ca39b7eb6c41dbbfde1f0be384cf022100810e9ae8300cec98d33500199a98614dffe88f94777533129e5a3a8542084f5a:922c64590222798bb761d5b6d8e72950